Access limited EMM distribution lists

ABSTRACT

An electronic mail message (EMM) addressed to a distribution list of an enterprise is received at a server of the enterprise from a sending address outside of the enterprise. If the distribution list has no external addresses, then the EMM is blocked from being delivered to the distribution list. In an embodiment, if the distribution list has an external address and the sending address is identified in a safe sender list corresponding to the distribution list, then the EMM is delivered to the distribution list. In an embodiment, if the distribution list has an external address, the sending address is not in a safe sender list corresponding to the distribution list, and the content of the message is approved, then the EMM is delivered to the distribution list.

BACKGROUND

A distribution list is a list of members to whom an electronic mailmessage (EMM) delivered to the distribution list is passed on to. Adistribution list allows a user to efficiently send an EMM to a list ofaddresses. An EMM may include, for example, an email, an instant message(IM), a short message service (SMS) message, multimedia content,hyperlinks to remote content, a meeting request, a task, or anappointment. In operation, the user prepares a single EMM, addresses itto the distribution list, and sends it. When the EMM is delivered to thedistribution list, the EMM is forwarded to the addresses in thedistribution list. The owners corresponding to the addresses in adistribution list typically share a common trait such as a politicalinterest, a common business purpose, or a common set of friends. In abusiness setting, distribution lists are typically created for an entirecompany, each department of the company, each project group, and jointdevelopment projects including employees inside of the company andpartners outside of the company.

Distribution lists are categorized as external or internal based onwhether the addresses in the list are inside or outside of an enterpriseassociated with the list. An enterprise may be any computer networkingstructure such as a domain, collection of domains, or otherorganization. An example of an enterprise is the computer network of acompany. Internal addresses are addresses inside of the enterpriseassociated with the distribution list, and external addresses areaddresses outside of the enterprise associated with the distributionlist. An internal distribution list has only internal addresses. Anexternal list has at least one external address and may include anynumber of internal and external addresses. Some embodiments of anenterprise may store an authoritative list of domains in the enterpriseand/or a global address list (GAL). To determine whether an address isinternal or external to the enterprise, the enterprise may compare theaddress to the authoritative list of domains and/or the GAL. Forexample, the domain of an internal address would be found in theauthoritative list of domains, and the complete address would be foundin the GAL.

Distribution lists are also categorized as open or closed based on theavailability of the distribution list to senders outside of anenterprise (i.e., owners of addresses external to the enterprise)associated with the distribution list. An open distribution list isavailable to senders outside of the enterprise (e.g., addresses outsideof the company can send EMM to the distribution list). A closeddistribution list is a distribution list that is denied to sendersoutside of the enterprise (e.g., addresses outside of the company cannotsend EMM to the distribution list). In existing EMM systems, internaldistribution lists are typically closed, and external distribution listsare typically open.

Open distribution lists can be used to distribute unwanted EMM (i.e.,spam) because anyone on the Internet can send EMM to the list. Inexisting EMM systems, some external distribution lists are closed toreduce spamming, but this means that owners of external addresses on thedistribution list cannot send EMM to the distribution list.

Some existing EMM systems use access control lists to limit access todistribution lists. An access control list is a list associated with afile, such as a distribution list, that contains information about whichusers or groups have permission to access or modify the file. Accesscontrol lists are generated and modified by system administrators tocontrol user access to network resources, such as servers, directories,and files. Users other than administrators do not typically havepermission to modify access control lists and even if they did have suchpermission, most users are not able to manipulate an access control listto achieve the desired results (e.g., changing which owners of addressesin a distribution list are allowed to send EMM to the distribution listor modify the access control list).

SUMMARY

Embodiments of the present invention allow users and administrators tolimit which external users can send EMM to an otherwise open externaldistribution list. In particular, embodiments of the invention includesystems and methods for processing EMM received at a server of anenterprise from a sending address outside of the enterprise addressed toa distribution list of the enterprise. The enterprise stores a pluralityof safe sender lists, each corresponding to an external distributionlist of the enterprise, wherein each safe sender list identifiesexternal addresses authorized to send EMM to its corresponding externaldistribution list. The server receives the EMM, and determines whetherthe addressed distribution is internal or external. If the distributionlist is internal (i.e., has only internal addresses), then the EMM isblocked from being delivered to the distribution list. In someembodiments, if the distribution list is external (i.e., has at leastone external address) and the sending address is on a safe sender listcorresponding to the addressed distribution list, then the EMM isdelivered to the distribution list.

This summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used as an aid in determining the scope of the claimed subjectmatter.

Other features will be in part apparent and in part pointed outhereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an exemplary block diagram illustrating a system forprocessing EMM received at a server of an enterprise addressed to adistribution list of the enterprise.

FIG. 2 is an exemplary flow chart illustrating operation of a method ofprocessing an EMM received at a server of an enterprise addressed to adistribution list of the enterprise.

Corresponding reference characters indicate corresponding partsthroughout the drawings.

DETAILED DESCRIPTION

In one embodiment, the invention includes a system for processing an EMMreceived at an enterprise. In particular, the invention includes asystem for processing an EMM addressed to a particular distribution listof the enterprise from a sending address outside of the enterprisewherein the particular distribution list is one of a plurality ofdistribution lists of the enterprise including internal distributionlists having only internal addresses and external distribution listshaving internal and external addresses. The system blocks the EMM if theparticular distribution list does not have external addresses. Thesystem delivers the EMM to the distribution list without filtering theEMM based on content if the sending address is on a safe sender listcorresponding to the particular distribution list.

Referring to FIG. 1, a system 100 according to one embodiment of theinvention is shown wherein a user 102 interacts with a user computer 104inside of an enterprise 116 to create a distribution list 106 and acorresponding safe sender list 108. As noted below, instructions on theuser computer 104 may automatically create or edit the safe sender list108 and include all of the external addresses of the distribution list106, or the user 102 may manually create or edit the safe sender list108. The distribution list 106 and corresponding safe sender list 108may also be pre-existing and the user 102 may interact with the usercomputer 104 to modify one or both. Additionally, the distribution list106 and/or its corresponding safe sender list 108 may be modified basedon the contents of an EMM sent to the distribution list 106 by a usersuch as user 102. For example, if the user 102 sends an email to thedistribution list 106 and includes an external address not already inthe distribution list 106 in the address line of the email, then theuser computer 104 adds the external address to the distribution list 106and the corresponding safe sender list 108. The system may also allowremove an address from the distribution list 106 in response to anemail. For example, the user 102 may send an email or some other EMM tothe distribution list 106 wherein the body or some other portion of theEMM such as the subject line of the email includes a minus or othersymbol or symbols indicating that the sender wishes to remove theaddress from the distribution list 106 and an address in thedistribution list 106. In response to the email, the user computer 104would remove the address from the distribution list 106 and thecorresponding safe sender list 108 (assuming that the address is in thesafe sender list 108). A user corresponding to the removed address isthus no longer subscribed to, or unsubscribed from, the distributionlist 106. For example, in another embodiment, the user 102 mayunsubscribe from the distribution list 106 by sending an emailcontaining the word “unsubscribe” in the subject line to thedistribution list 106. In yet another embodiment, there may be a specialunsubscribe address associated with each distribution list 106 such thatusers having addresses on the distribution list 106 can unsubscribe bysending an EMM to the special unsubscribe address. In anotherembodiment, a special unsubscribe address could be associated with aplurality of distribution lists, such that a user may unsubscribe fromsome or all of the distribution lists of an enterprise by sending an EMMto the special unsubscribe address.

A synchronization utility 110 copies the user created (or modified)distribution list 106 and corresponding safe sender list 108 to servers(e.g. mailbox database server 112 and edge server 114) of the enterprise116. The enterprise 116 may contain any number of edge servers, mailboxdatabase servers, administrators, user computers, and users, as well asother computer network components, and the enterprise 116 may becomposed of any number of domains. The synchronization utility 110 mayor may not update information on the mailbox database server 112 andedge server 114 in real time as a user 102 or administrator 126 modifiesthe distribution and safe sender lists. Alternatively, the user 102 oradministrator 126 may create the distribution list and its correspondingsafe sender list on the edge server 114 directly such thatsynchronization is not necessary.

If the synchronization utility 110 does not operate in real time, then acorresponding distribution list 118 and safe sender list 120 on themailbox database server 112, and a corresponding distribution list 122and safe sender list 124 on the edge server 114 may not be exact copiesof the distribution list 106 and safe sender list 108 on the usercomputer 104 at all times. In one embodiment, the synchronizationutility 110 updates the mailbox database server 112 and the edge server114 on a daily basis. In other embodiments, the synchronization utility110 updates the servers more frequently including in real time. In stillother embodiments, the mailbox database server 112 is updated in realtime, but the synchronization utility 110 updates the edge server 114 ona periodic basis. In one embodiment of the invention, one serverperforms all of the functions of both the edge server 114 and themailbox database server 112, such that the system 100 consists of onlyuser computers, such as user computer 104, and a server.

In one embodiment of the invention, only the user 102 who created thedistribution list 106 and safe sender list 108 is authorized to modifythe lists. The system 100 prevents unauthorized individuals from makingany changes. In another embodiment of the invention, the user 102 whocreated the lists and the administrator 126 are authorized to modify thelists. In still another embodiment, the user 102, the administrator 126,and the other owners of addresses in the distribution list 106 areauthorized to make changes to the lists.

The system 100 of FIG. 1 illustrates an embodiment of the inventionwherein the distribution list 106 and safe sender list 108 are createdby the user 102 on the user computer 104, and the lists are copied tothe servers of the enterprise 116. Other embodiments of the inventionallow the distribution and safe sender lists to be created by anadministrator 126 or user 102 directly on a server of the enterprise116. In one embodiment, the distribution and safe sender lists aremaintained on a mail database server, updated by the user on that servervia a user computer connected to the server, and copied to the edgeserver.

In operation of the system 100, a sender outside of the enterprise 116sends an EMM 128 addressed to the distribution list 106. The edge server114 receives the EMM 128. The edge server 114 may optionallyauthenticate the address of the sender (i.e., sending address) viaauthentication methods known in the art (e.g., senderID andcertificates). A set of instructions 130 executed by the edge server 114determine whether the edge server's local copy of the distribution list122 includes any external addresses. If the distribution list 122 doesnot include any external addresses, then the edge server 114 blocksdelivery of the EMM 128 to the distribution list 118. The edge server114 may generate an error message and return it to the sending address,a server associated with the sending address may be instructed by theedge server 114 to generate an error message and provide it to thesending address, or the edge server 114 may take no action such that nostatus message is providing to the sending address. The administrator126 of the system 100 may be notified of the blocked EMM 128 so that theadministrator 126 can determine whether a denial of service attack orother EMM related malicious behavior is occurring.

If the EMM 128 is not blocked, then the instructions 130 determinewhether the sender (i.e., sending address) is authorized to send EMM tothe distribution list 106 by searching for the sending address in thecopy of the safe sender list 124 on the edge server 114. If the sendingaddress is on the safe sender list 124, then the EMM 128 is delivered tothe distribution list 118 without being filtered based on content by acontent filter 132 on the mailbox database server 112. If the sendingaddress is not on the safe sender list 124, then the EMM 128 is blockedfrom being delivered to the distribution list 118. Optionally, insteadof immediately blocking the EMM 128 from a sending address not on thesafe sender list 124, the EMM 128 may be processed by the content filter132. The content filter 132 examines the contents of the EMM 128, andthe EMM 128 is either blocked from the distribution list 118 ordelivered to the distribution list 118 based on the examined contentsand the rules of the content filter 132. The rules of the content filter132 are set by the administrator 126 based on the needs of theorganization. The rules may be designed to only reduce spam, or toprevent material inappropriate in the context of the particularenterprise 116 from reaching users in the enterprise 116.

In another embodiment of the invention, the edge server 114 determineswhether the distribution list 122 includes external addresses and eitherblocks the EMM 128 if the distribution list 122 does not have anyexternal addresses, or forwards the EMM to the mailbox database server112 if the distribution list 122 has an external address. The mailboxdatabase server 112 searches the safe sender list 120 for the sendingaddress and delivers the EMM 128 if the sending address is on the safesender list 120. If the sending address is not on the safe sender list120, then the EMM 128 is either blocked by the mailbox database server112 or filtered based on content by the content filter 132. Thisconfiguration frees resources on the edge server 114 such that thesystem 100 is less susceptible to denial of service attacks.

If the EMM 128 is delivered to the distribution list 118, then it issent to all of the addresses on the distribution list 118 whether theyare internal or external to the enterprise 116.

Referring next to FIG. 2, a method of processing an EMM received at aserver of an enterprise from a sending address outside of the enterpriseaddressed to a distribution list of the enterprise according to oneembodiment of the invention is illustrated. For example, the method maybe exercised by the server 114 executing the instructions 130. At 202, adistribution list and a corresponding safe sender list are stored on aserver of the enterprise. At 204, an EMM addressed to the distributionlist is received at the server. Optionally, at 206, the sending addressmay be authenticated. If the sending address cannot be authenticated,then the EMM is blocked at 210, or the EMM may optionally be examinedfor content at 216. Authenticating the sending address at 206 ensuresthat the distribution list is closed to outside senders. However,authentication may not be necessary in some embodiments because a useron the internet wanting to send spam (i.e., unwanted EMM's) to thedistribution list must first know an external address on thedistribution list and corresponding safe sender list. Hiding the membersof the distribution list in messages forwarded from the distributionlist to the members (i.e., displaying a nickname for the distributionlist instead of a list of the members of the distribution list in the“from” field of forwarded messages) makes it difficult for both internaland external users to discover the address of an external user on thedistribution list and corresponding safe sender list. Thus, hiding themembers of the list may provide sufficient security in some embodimentsof the invention such that authenticating the sending address is notpreferable.

If the sending address is authenticated at 206 or no authentication isundertaken, then at 208 the server determines whether the distributionlist includes any external addresses (i.e., is an external distributionlist). In one embodiment, the server may determine whether thedistribution list is external by comparing the addresses in thedistribution list to an authoritative domain list of the enterprise or aglobal authoritative list of the enterprise, or by checking a field ofthe distribution list. If the distribution list does not have anyexternal addresses, then at 210 the EMM is blocked from being deliveredto the distribution list. If the distribution list is an externaldistribution list, then at 212 the server determines whether the sendingaddress is on the safe sender list corresponding to the distributionlist. If the sending address is on the safe sender list, then at 214 theEMM is delivered to addresses of the distribution list. If the sendingaddress is not on the safe sender list, then the EMM is either blockedfrom being delivered to the distribution list at 210 or examined forcontent at 216. Based on the content of the EMM and predetermined rulesapplied to the content to determine whether the content is approved tobe delivered or not, it may be delivered to the distribution list at 214or blocked at 210.

When an EMM is blocked at 210, an administrator associated with theenterprise may be notified of the blocked EMM. Additionally, the serverof the enterprise may generate and send a status message to the sendingaddress, the server may generate and send a notification to a serverassociated with the sending address so that the server associated withthe sending address generates a status message and provides it to thesending address, or the server of the enterprise may take no action sothat no status message is provided to the sending address.

In operation, a computer executes the computer-executable instructions130 such as those illustrated in the figures to implement aspects of theinvention.

As discussed above, embodiments of the invention include methods forcreating and maintaining a plurality of safe sender lists, eachcorresponding to an external distribution list of an enterprise. In oneembodiment, a computer receives a distribution list in response to anevent such as a user creating the distribution list or a user sending anEMM to the distribution list. The computer compares the addresses in thereceived distribution list to an address list of the enterprise (e.g. anauthoritative domain list or a GAL) to identify any external addressesin the distribution list. The computer copies the identified externaladdresses to a safe sender list corresponding to the receiveddistribution list. The computer creates a safe sender list correspondingto the distribution list if it does not already exist.

The computer may modify a distribution list or safe sender list inresponse to input received from a user. The user input may be in theform of an EMM sent to the distribution list by a user or generated byan interface for modifying the lists. Additionally, permission to alterthe distribution list and/or corresponding safe sender list may belimited to the user that created the distribution list, or any owner ofan address on the lists may have such permission.

The order of execution or performance of the operations in embodimentsof the invention illustrated and described herein is not essential,unless otherwise specified. That is, the operations may be performed inany order, unless otherwise specified, and embodiments of the inventionmay include additional or fewer operations than those disclosed herein.For example, it is contemplated that executing or performing aparticular operation before, contemporaneously with, or after anotheroperation is within the scope of aspects of the invention.

Embodiments of the invention may be implemented with computer-executableinstructions. The computer-executable instructions may be organized intoone or more computer-executable components or modules. Aspects of theinvention may be implemented with any number and organization of suchcomponents or modules. For example, aspects of the invention are notlimited to the specific computer-executable instructions or the specificcomponents or modules illustrated in the figures and described herein.Other embodiments of the invention may include differentcomputer-executable instructions or components having more or lessfunctionality than illustrated and described herein.

When introducing elements of aspects of the invention or the embodimentsthereof, the articles “a,” “an,” “the,” and “said” are intended to meanthat there are one or more of the elements. The terms “comprising,”“including,” and “having” are intended to be inclusive and mean thatthere may be additional elements other than the listed elements.

Having described aspects of the invention in detail, it will be apparentthat modifications and variations are possible without departing fromthe scope of aspects of the invention as defined in the appended claims.As various changes could be made in the above constructions, products,and methods without departing from the scope of aspects of theinvention, it is intended that all matter contained in the abovedescription and shown in the accompanying drawings shall be interpretedas illustrative and not in a limiting sense.

1. A method of processing electronic mail messages addressed to aparticular distribution list of an enterprise from a sending addressexternal to the enterprise wherein the particular distribution list isone of a plurality of distribution lists associated with the enterprise,said particular distribution list comprising a list of electronic mailmessage addresses, said plurality of distribution lists includinginternal distribution lists having only internal addresses and externaldistribution lists having internal and external addresses, said methodcomprising: storing a plurality of safe sender lists, each stored safesender list corresponding to one and only one of the externaldistribution lists of the enterprise and each external distribution listcorresponding to one and only one of the stored plurality of safe senderlists, wherein for each particular external distribution list, itscorresponding safe sender list identifies particular external addresseswhich are authorized to send electronic mail messages to the particularexternal distribution list; receiving at a server of the enterprise anelectronic mail message addressed to one of the particular distributionlists, said received electronic mail message sent from a specificexternal sending address; first determining whether the particulardistribution list addressed by the received electronic mail message isan internal distribution list or an external distribution list; inresponse to first determining, if the particular distribution list is anexternal distribution list, then second determining whether the specificexternal sending address is one of the particular external addresses ofthe safe sender list corresponding to the particular distribution list;and selectively forwarding the received electronic mail message to theaddresses of the one of the particular distribution lists as a functionof the first determining whether the particular distribution list isinternal or external and as a function of the second determining whetherthe specific external sending address is on the safe sender list of theparticular distribution list, wherein said selectively forwardingfurther comprises: blocking the received electronic mail message frombeing delivered to the addresses of the particular distribution list ifthe first determining determines that the particular distribution listis an internal distribution list; delivering the received electronicmail message to the addresses of the particular distribution list if thefirst determining determines that particular distribution list is anexternal distribution list and if the second determining determines thatthe specific external sending address is identified in the safe senderlist corresponding to the particular distribution list; hiding theaddresses of members of the particular distribution list and thecorresponding safe sender list as a function of the delivering, bypreventing disclosure of addresses of the members of the particulardistribution list and the corresponding safe sender list, said hidingcomprising displaying a nickname for the members of the particulardistribution list and the corresponding safe sender list instead of theaddresses of the members; and blocking the received electronic mailmessage to the addresses of the particular distribution list if thefirst determining determines that particular distribution list is anexternal distribution list and if the second determining determines thatthe specific external sending address is not identified in the safesender list corresponding to the particular distribution list furthercomprising: adding or removing a particular address from the particulardistribution list by and responsive to said adding or removing, andwithout any further input, adding or removing the particular addressfrom the safe sender list corresponding to the particular distributionlist.
 2. The method of claim 1 further comprising content filtering thereceived electronic mail message if the particular distribution list isan external distribution list and the sending address is not identifiedin the safe sender list corresponding to the particular distributionlist.
 3. The method of claim 1 wherein said blocking comprises at leastone of the following: providing no status message or notice to anexternal server associated with the sending address; generating a statusmessage at the server of the enterprise and providing said statusmessage to said sending address; generating a notice at the server ofthe enterprise, providing said notice to a server associated with thesending address, generating a status message at the server associatedwith the sending address in response to the received notice, andproviding said status message to said sending address; and notifying anadministrator associated with the enterprise of the blocked electronicmail message.
 4. The method of claim 1 further comprising authenticatingthe sending address and blocking the electronic mail message from beingdelivered to the particular distribution list if the sending address isnot authenticated.
 5. The method of claim 1 wherein the particulardistribution list is created by a user other than an administrator at auser computer and subsequently copied to the server.
 6. A system forprocessing an electronic mail message received by an enterpriseaddressed to a particular distribution list of the enterprise from asending address external to the enterprise wherein the particulardistribution list is one of a plurality of distribution lists of theenterprise, said particular distribution list comprising a list ofelectronic mail message addresses, said plurality of distribution listsincluding internal distribution lists having only internal addresses andexternal distribution lists having internal and external addresses, saidsystem comprising: a server of the enterprise for receiving theelectronic mail message addressed to the particular distribution list,said received electronic mail message sent from a specific sendingaddress external to the enterprise; a plurality of safe sender listsstored on the server, each stored safe sender list corresponding to oneand only one of the external distribution lists of the enterprise,wherein each external distribution list corresponding to one and onlyone of the stored plurality of safe sender lists, wherein for eachexternal distribution list, its corresponding safe sender listidentifies external addresses which are authorized to send electronicmail messages to the corresponding external distribution list; andwherein the server executes instructions for: first determining whetherthe particular distribution list addressed by the received electronicmail message is an internal distribution list or an externaldistribution list; in response to first determining, if the particulardistribution list is an external distribution list, then seconddetermining whether the specific external sending address is one of theparticular external addresses of the safe sender list corresponding tothe particular distribution list; and selectively forwarding thereceived electronic mail message to the addresses of the particulardistribution list as a function of the first determining whether theparticular distribution list is internal or external and as a functionof the second determining whether the specific external sending addressis on the safe sender list corresponding to the particular distributionlist, wherein said selectively forwarding further comprises: blockingthe received electronic mail message from being delivered to theaddresses of the particular distribution list if the first determiningdetermines that the particular distribution list is an internaldistribution list; delivering the received electronic mail message tothe addresses of the particular distribution list if the firstdetermining determines that the particular distribution list is anexternal distribution list and if the second determining determines thatthe sending address is identified in the safe sender list correspondingto the particular distribution list; in response to the delivering,hiding the addresses of members of the particular distribution list andthe corresponding safe sender list by preventing disclosure of addressesof the members of the particular distribution list and the correspondingsafe sender list, said hiding comprising displaying a nickname for themembers of the particular distribution list and the corresponding safesender list instead of the addresses of the members; and blocking thereceived electronic mail message from the addresses of the particulardistribution list if the first determining determines that theparticular distribution list is an external distribution list and thesecond determining determines that the specific external sending addressis not identified in the safe sender list corresponding to theparticular distribution list further comprising: adding or removing aparticular address from the particular distribution list by andresponsive to said adding or removing, and without any further input,adding or removing the particular address from the safe sender listcorresponding to the particular distribution list.
 7. The system ofclaim 6 wherein the server further content filters the receivedelectronic mail message if the particular distribution list is anexternal distribution list and the sending address is not identified inthe safe sender list corresponding to the particular distribution list.8. The system of claim 6 wherein if the server blocks the electronicmail message from the particular distribution list, then at least one ofthe following: the server of the enterprise does not return a statusmessage or notice to an external server associated with the sendingaddress; the server of the enterprise generates a status message andprovides said status message to said sending address; the server of theenterprise generates a notice, provides said notice to a serverassociated with the sending address, the server associated with thesending address generates a status message in response to the receivednotice, and the server associated with the sending address provides saidstatus message to said sending address; and the server of the enterprisenotifies an administrator associated with the enterprise of the blockedelectronic mail message.
 9. The system of claim 6 wherein the serverauthenticates the sending address and blocks the electronic mail messagefrom being delivered to the particular distribution list if the sendingaddress is not authenticated.
 10. The system of claim 6 wherein theparticular distribution list is created by a user other than anadministrator at a user computer and subsequently copied to the server.11. The system of claim 6 wherein: addresses are added to or removedfrom the particular distribution list by a user other than anadministrator; and addresses are added to or removed from the safesender list corresponding to the particular distribution list by a userother than an administrator.
 12. A method of creating or maintaining aplurality of safe sender lists, each safe sender list corresponding toone and only one external distribution list of a plurality of externaldistribution lists of an enterprise and each external distribution listcorresponding to one and only one safe sender list, each of saidexternal distribution lists comprising a list of electronic mail messageaddresses including addresses internal to the enterprise and addressesexternal to the enterprise, wherein each safe sender list identifiesaddresses external to the enterprise which are authorized to sendelectronic mail messages to the external distribution list correspondingto the safe sender list, said method comprising: receiving an electronicmail message addressed to a particular distribution list of theenterprise, said received electronic mail message sent from a specificsending address external to the enterprise, said electronic mail messageincluding a plurality of addresses in addition the particular externaldistribution list; first determining whether the particular distributionlist addressed by the received electronic mail message is an internaldistribution list or an external distribution list; in response to firstdetermining, if the particular distribution list is an externaldistribution list, then second determining whether the specific externalsending address is one of the particular external addresses of the safesender list corresponding to the particular distribution list; blockingthe received electronic mail message from being delivered to theaddresses of the particular distribution list if the first determiningdetermines that the particular distribution list is an internaldistribution list; delivering the received electronic mail message tothe particular distribution list if the first determining determinesthat the particular distribution list is an external distribution listand if the second determining determines that the sending address isidentified in the safe sender list corresponding to the particulardistribution list, wherein said delivering comprises at least one of thefollowing: comparing the plurality of addresses of the receivedelectronic mail message to at least one of a global authoritativeaddress list of the enterprise and a domain list of the enterprise toidentify addresses of the received plurality of addresses which areexternal to the enterprise, and hiding only the addresses of members ofthe particular distribution list and the corresponding safe sender listto prevent disclosing addresses of the members, said hiding comprisingdisplaying a nickname for the distribution list instead of the addressesof the members; and copying the identified external addresses to thesafe sender list corresponding to the particular distribution list; andblocking the received electronic mail message from the particulardistribution list if the first determining determines that theparticular distribution list is an external distribution list and thesecond determining determines that the specific external sending addressis not identified in the safe sender list corresponding to theparticular distribution list.
 13. The method of claim 12 furthercomprising adding or removing an address from the safe sender list inresponse to the received electronic mail message.
 14. The method ofclaim 13 further comprising further comprising determining whether thereceived electronic mail message is from a user who created the receiveddistribution list and adding or removing an address from the safe senderlist only if the sender of the received electronic mail message isdetermined to be the user who created the received distribution list.